What Organizations Must Know about The: 'Right to Be Forgotten'

What Organizations Must Know about The: 'Right to Be Forgotten'

Article excerpt

The European Union's (EU) "right to be forgotten" affects not only search engines but any organization that hosts EU citizens' information or does business in the EU. Records and information management professionals who get requests to remove information must understand the factors that should guide their decisions.

The European Union's (EU) right to be forgotten does not apply specifically to Google alone, although reports sometimes suggest it. Rather, the decision in Google Spain v. AEPD and Mario Costeja Gonzalez is the application of a more general right of erasure under the EU's Data Protection Directive of 1995, and the directive applies not just to search engines but to all organizations that control and process EU consumer data. Organizations should therefore be aware of the directive's provisions, particularly if they do business in the EU.

Under the right of access provisions of the directive's Article 12, EU individuals have the right to request that any data controller remove personal data if the information is inaccurate, inadequate, irrelevant, or excessive. Typical applications of this provision might be a request to remove misleading information on an individual's credit report or to remove inaccurate data from medical records. The Google Spain decision held that this right is not a right to the removal of records in data sets, but is a more general right to have obsolete information removed.

The Court Decision

In Google Spain, a Spanish citizen living in Spain asked that a notice of foreclosure be removed from the website of La Vanguardia, the newspaper that had originally published the public notice, and that links to the notice be removed from Google's search engine. The European Court of Justice ruled that La Vanguardia need not remove the notice from its site, in part because the notice was published in fulfillment of Spanish law, and because under the principles of the Data Protection Directive, rights to freedom of expression may counterbalance the right to erasure, especially for media companies.

Google Spain declined to be considered a media company. The court found that Google was a data controller under Article 12 and that the information about the foreclosure was no longer relevant. Google Spain was therefore required to remove all links to the notice.

The EU Court of Justice indicated that Google should consider each request on a case-by-case basis, balancing the public's interest in the information, the data controller's right to free expression, and the individual's right to privacy. It is anticipated that judgement calls will be necessary. According to Google's website on February 10, 2016, the company had approved 42.5% of the 386,038 requests to remove links it had received since it launched its official request process on May 29, 2014.

An EU directive describes an aim for the EU that must be implemented in law by member states. With 28 member states implementing distinct laws, there is bound to be inconsistency. An EU regulation is enforceable as law in the EU, the Spanish subsidiary was selling advertising in Spain, and since advertising was Google's major source of revenue, Google could be considered to be doing business in Spain.

Google has applied the Google Spain ruling by providing a form that allows users to request that links be removed. Once the request is approved, Google removes links from all of its European sites (google.es or google.uk, for example) but not from the U.S. google.com site, which is accessible in Europe. The French data protection agency has objected, claiming it makes the information too easily accessible in Europe, and has requested that the links be removed from google.com as well.

It might be possible for an organization to use a technological solution to remove the links for end users based all member states, ensuring consistency. So, in part to ensure consistency and in part to account for changes in information technology since 1995, the EU recently reached agreement in principle on a new General Data Protection Regulation (GDPR). …